Home News Adorcam App Leaks Millions of User Records via ElasticSearch Database

Adorcam App Leaks Millions of User Records via ElasticSearch Database

An unsecured ElasticSearch database belonging to the Adorcam app exposed credentials, hostname, and port for the MQTT server, allowing threat actors to download, delete, or modify the data.

Data leak

ElasticSearch has been in the news for a very long time now. And mostly for all the wrong reasons. Yet again, an unsecured ElasticSearch database exposed a massive number of users’ sensitive information online. According to the security researcher Justin Paine, the leaky database belongs to Adorcam, a webcam application for viewing and controlling several webcam models.

Justin Paine stated that the database contained over 124 million rows of data (around 51 GB in size) that belonged to several thousands of Adorcam app users. The unsecured database has been leaking users’ information since January 4, 2021. The exposed data included user email addresses, hashed passwords, Wi-Fi network name, client IP, user Id, web camera serial number, web camera settings including microphone state, country geolocation, SSID / wireless network, name, and images captured by the web cameras.

The leaked information also included sensitive details about the MQTT server, a common standard messaging protocol for the Internet of Things (IoT) server. Adorcam secured the database after Paine reported the issue to the concerned authorities.

“I was browsing BinaryEdge and Shodan when I discovered yet another exposed ElasticSearch database. This database was eventually identified to be owned by Adorcam. The Google Play Store indicates that the Android version of their mobile app has 10,000+ installs,” Paine said.

Paine also discovered that the camera was uploading captured pictures from the webcam to Adorcam’s cloud storage. He suspects that the database was updating live, capturing the latest information from the app.

Data Leak Impact

Threat actors could exploit the exposed information for various social engineering and phishing attacks. They can leverage the leaked credentials, hostname, and port for the MQTT server to download, delete, or modify the information.

“The malicious actor would have plenty of details to establish trust and credibility with the victim of the phishing attack. The attacker also had geographic information to launch a targeted attack in the user’s native language,” Paine added.